Full Disclosure mailing list archives

Re: EFC Released
From: Balwinder Singh <balwinder () gmx net>
Date: Fri, 05 Mar 2004 12:52:20 +0530

> Seems very interesting, but how does it affect performance/stability of the system/kernel?

EFC was quite stable when testing was done on the hack us box (around 8
months back). But this is a major rewrite of the original code, hence more
testing needs to be done.
As EFC is going to add one more layer, performance will suffer;
benchmarking will reveal the exact performance loss, which is yet to be 

EFC Components
1. Generate and enforce a behavior model of a program.
2. Hook into the PAM lib to let the kernel know when each authentication takes
place. Supposed to be useful for programs like sshd and ftpd.
3. Define some critical calls which must require authentication
from the kernel, e.g. an open(/etc/shadow) request by a program other than sshd.
4. Define a general rule set which might help performance gain. It might also
help in cases where the behavior model misses a particular call, such as
exception/error handling which might occur occasionally.

As we are far away from a perfect model (and I don't see it happening
unless govt enforces), there will always be some false positives. You
can edit the behavior model by hand and add entries to the general rules to keep
false positives to a minimum.



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
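The four components listed in the post, sketched as an added Python model that is not EFC's own code: a behavior model learned from a training syscall trace, a general rule set that absorbs rarely seen calls, a critical-call list gated on a PAM-style "authenticated" flag, and an enforcement pass that reports what would be rejected. The traces, program names, rule contents and the `authenticated` set are all constructed for the example.

```python
# Added illustration of an EFC-style behaviour model; not EFC's own code.
# Constructed (program, syscall, arg) tuples stand in for kernel hook events.
from collections import defaultdict

# Hypothetical policy tables (component 3 and component 4 in the post).
CRITICAL = {("open", "/etc/shadow")}        # only an authenticated program may do these
GENERAL_RULES = {"close", "write", "exit"}  # always allowed; covers rare error-path calls

def learn_model(trace):
    """'Generate' phase: record, per program, each observed (previous call, call) pair."""
    model = defaultdict(set)
    prev = {}
    for prog, call, _arg in trace:
        model[prog].add((prev.get(prog, "<start>"), call))
        prev[prog] = call
    return model

def enforce(model, trace, authenticated=frozenset()):
    """'Enforce' phase: return (program, syscall, reason) for every call that would be rejected.
    `authenticated` is the set of programs the PAM hook has reported as authenticated."""
    violations = []
    prev = {}
    for prog, call, arg in trace:
        transition = (prev.get(prog, "<start>"), call)
        if (call, arg) in CRITICAL and prog not in authenticated:
            violations.append((prog, call, "critical call without authentication"))
        elif call not in GENERAL_RULES and transition not in model.get(prog, set()):
            violations.append((prog, call, "transition not in behaviour model"))
        prev[prog] = call
    return violations

# Constructed training trace: what sshd and ftpd did during a clean run.
TRAINING = [
    ("sshd", "socket", None), ("sshd", "accept", None), ("sshd", "read", None),
    ("sshd", "open", "/etc/shadow"), ("sshd", "read", None), ("sshd", "close", None),
    ("ftpd", "socket", None), ("ftpd", "accept", None), ("ftpd", "read", None),
    ("ftpd", "open", "/var/ftp/file"), ("ftpd", "close", None),
]

# Constructed runtime trace with two deviations.
RUNTIME = [
    ("sshd", "socket", None), ("sshd", "accept", None), ("sshd", "read", None),
    ("sshd", "open", "/etc/shadow"),   # allowed: in model, and sshd is authenticated
    ("ftpd", "socket", None), ("ftpd", "accept", None), ("ftpd", "read", None),
    ("ftpd", "open", "/etc/shadow"),   # rejected: critical call, ftpd not authenticated
    ("ftpd", "write", None),           # allowed by the general rules despite never being trained
    ("ftpd", "execve", "/bin/sh"),     # rejected: transition absent from ftpd's model
]

def demo():
    return enforce(learn_model(TRAINING), RUNTIME, authenticated={"sshd"})
```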
